Summary: This documentation on Kanet was written by Xavier Marty of the Université de Toulouse 1 Capitole. It covers, on the one hand, the installation and configuration of Kanet on F13 and RHEL 6 and, on the other, the proxy configuration for the three authentication methods supported by Kanet: CAS, Radius and Shibboleth. You will find here a step-by-step tutorial on installing and configuring Kanet on Ubuntu 10.10.
Requires vala 0.11 at minimum (see file)
Installation is possible, but there is a problem with the Shibboleth part
-
Required
yum install gcc
yum install libgee-devel sqlite-devel libsoup-devel json-glib-devel libdaemon-devel radiusclient-ng-devel
yum install libnetfilter_conntrack-devel libnetfilter_queue-devel
-
Updating vala
yum install gnome-common intltool libtool
rpm -Uvh vala-0.11.2-1.fc15.i686.rpm vala-tools-0.11.2-1.fc15.i686.rpm vala-devel-0.11.2-1.fc15.i686.rpm
-
Adding the EPEL repository
rpm -Uvh http://download.fedora.redhat.com/pub/epel/6/i386/epel-release-6-5.noarch.rpm
-
Packages required for kanet
yum install gcc kernel-headers
yum install libsoup-devel sqlite-devel libgee-devel
yum install json-c-devel radiusclient-ng radiusclient-ng-devel
yum install gnome-common intltool libtool
-
Packages to install by hand … fetch them
from the Fedora distribution: http://MIRROIR_FEDORA/pub/fedora/linux/releases/14/Everything/i386/os/Packages/
rpm -Uvh json-glib-*
rpm -Uvh libdaemon-*
rpm -Uvh libnfnetlink-* libnetfilter_*
rpm -Uvh vala-*
List of packages installed in January 2011
json-glib-0.10.4-3.fc14.i686.rpm
json-glib-devel-0.10.4-3.fc14.i686.rpm
libdaemon-0.14-1.fc13.i686.rpm
libdaemon-devel-0.14-1.fc13.i686.rpm
libnetfilter_conntrack-0.0.101-1.fc13.i686.rpm
libnetfilter_conntrack-devel-0.0.101-1.fc13.i686.rpm
libnetfilter_queue-0.0.17-2.fc12.i686.rpm
libnetfilter_queue-devel-0.0.17-2.fc12.i686.rpm
libnfnetlink-1.0.0-1.fc13.i686.rpm
libnfnetlink-devel-1.0.0-1.fc13.i686.rpm
vala-0.11.2-1.fc15.i686.rpm
vala-devel-0.11.2-1.fc15.i686.rpm
vala-tools-0.11.2-1.fc15.i686.rpm
yum install dnsmasq dhcp httpd mod_ssl
wget http://kanet.googlecode.com/files/kanet-0.2.3.tar.bz2
./waf configure
./waf
./waf install
If necessary, adapt the wscript file at the root of the kanet directory.
The call to vala must be changed: by default the build script looks for
vala, but under RedHat the package is named libvala:
# ...
conf.check_cfg(package='libvala-0.12', uselib_store='VALA', atleast_version='0.7.10', args='--cflags --libs', mandatory=True)
# ...
- Symbolic links: copy the libraries from /usr/local/lib/ into /usr/lib/
cd /usr/local/lib/
cp lib* /usr/lib/
3 libraries present: libKanetAuthModule.so / libkanet-dummy.so / libkanet-radiusclient.so
Edit the hosts file, adding the line
10.34.0.1 eduspot eduspot.univ.fr
-
Internal interface, file ifcfg-eth1
DEVICE="eth1"
HWADDR="MA-MAC"
IPADDR=10.34.0.1
NETMASK=255.255.0.0
NM_CONTROLLED="yes"
ONBOOT="yes"
-
Enable the services at boot: httpd, dhcp, dnsmasq, shibd (see below for the last one)
-
dhcpd.conf configuration
#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.sample
# see 'man 5 dhcpd.conf'
#
ddns-updates off;
option domain-name-servers 10.34.0.1;
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet 10.34.0.0 netmask 255.255.0.0 {
option routers 10.34.0.1;
option broadcast-address 10.34.255.255;
range 10.34.1.0 10.34.254.255;
}
-
Dnsmasq: no configuration needed
mkdir /usr/local/scripts/
vi kanet-firewall
#!/bin/sh
IPT="/sbin/iptables"
IP_PRIVATE="10.34.0.1" # <- TO MODIFY
NTINT="eth1"
test -f $IPT || exit 0
case "$1" in
start)
    echo -n "Loading kanet firewall's rules: "
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Flush tables
    $IPT -t nat -F
    $IPT -t mangle -F
    $IPT -t filter -F
    # Restore the connection mark set by kanet; new TCP connections arriving on the
    # internal interface are handed to the QUEUE target so kanet can classify them
    $IPT -t mangle -A PREROUTING -i $NTINT -j CONNMARK --restore-mark
    $IPT -t mangle -A PREROUTING -p TCP -i $NTINT -d $IP_PRIVATE -j ACCEPT
    $IPT -t mangle -A PREROUTING -p TCP -i $NTINT -m state --state NEW -j QUEUE
    $IPT -t nat -A PREROUTING -p TCP -i $NTINT -j CONNMARK --save-mark
    # MARK 0xFFFFFFFF = Openacls
    $IPT -t nat -A PREROUTING -p TCP -i $NTINT -m mark --mark 0xFFFFFFFF -j ACCEPT
    # MARK 0xFFFFFFFE = use http-to-https redirection (Not implemented)
    #$IPT -t nat -A PREROUTING -p TCP -i $NTINT -m mark --mark 0xFFFFFFFE -j DNAT --to-destination $IP_PRIVATE
    # MARK 0x0 = unauthenticated - 80 is redirected to authentication page
    $IPT -t nat -A PREROUTING -p TCP --dport 80 -i $NTINT -m mark --mark 0 -j DNAT --to-destination $IP_PRIVATE:8080
    $IPT -A INPUT -p tcp --dport 8181 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 8080 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 443 -j ACCEPT
    $IPT -A INPUT -p udp --dport 53 -j ACCEPT
    # MARK 0x1 blacklistacls
    $IPT -t filter -A FORWARD -m mark --mark 0x1 -j REJECT
    $IPT -t nat -A POSTROUTING -m mark ! --mark 0 -j MASQUERADE
    echo "Done."
    ;;
stop)
    echo -n "Flushing kanet firewall's rules: "
    echo 0 > /proc/sys/net/ipv4/ip_forward
    # FLUSH TABLES
    $IPT -t filter -F
    $IPT -t nat -F
    $IPT -t mangle -F
    echo "Done."
    ;;
status)
    # List tables
    echo; echo "---------- FILTER TABLE -----------"; echo
    $IPT -t filter -L -v
    echo; echo "---------- NAT TABLE -----------"; echo
    $IPT -t nat -L -v
    echo; echo "---------- MANGLE TABLE -----------"; echo
    $IPT -t mangle -L -v
    echo
    ;;
restart|force-reload)
    $0 stop
    $0 start
    echo "Done."
    ;;
*)
    echo "Usage: /etc/init.d/kanet {start|stop|status|restart}"
    exit 1
    ;;
esac
exit 0
-
Retrieve the original files
cd /usr/local/share/kanet
cp -r * /var/www/html/
-
For triple authentication (CAS, Radius and Shibboleth), use the
login.html file below
# ...
ServerName eduspot.univ.fr
# ...
<IfModule worker.c>
StartServers 20
MaxClients 1000
MinSpareThreads 200
MaxSpareThreads 250
ThreadsPerChild 50
MaxRequestsPerChild 0
</IfModule>
# ...
Listen 8080
Listen 443
# ...
<VirtualHost 10.34.0.1:443>
    SSLEngine On
    SSLCertificateFile /REP/LE_CERTIF.crt
    SSLCertificateKeyFile /REP/LE_CERTIF.key
    SSLCertificateChainFile /REP/cachain.pem
    SSLVerifyClient none
    SSLProxyEngine On
    Alias /www /var/www/html/
    ProxyPreserveHost On
    ProxyRequests On
    ProxyPass /www !
    ProxyPass /Shibboleth.sso !
    ProxyPass / http://127.0.0.1:8181/ disablereuse=on retry=0 flushpackets=on
    ProxyPassReverse / http://127.0.0.1/
    ProxyTimeout 3
    <Location /www>
    </Location>
    <Location />
        AuthType shibboleth
        Require shibboleth
        ShibUseHeaders On
    </Location>
    <Location /login_shibboleth>
        Allow from all
        AuthType shibboleth
        ShibRequireSession On
        require valid-user
    </Location>
    ErrorLog /var/log/httpd/error_eduspot.log
    LogLevel warn
    CustomLog /var/log/httpd/access_eduspot.log combined
</VirtualHost>
<VirtualHost 10.34.0.1:8080>
    RewriteEngine On
    #RedirectMatch .* https://cas.univ.fr/cas/login/?service=https://eduspot.univ.fr/login_cas/
    RedirectMatch .* https://eduspot.univ.fr/www/login.html
    ErrorLog /var/log/httpd/error_eduspot.log
    LogLevel warn
    CustomLog /var/log/httpd/access_eduspot.log combined
</VirtualHost>
Edit the radiusclient.conf and servers files
# ...
auth_order radius # Use only radius and remove local
# ...
authserver radius.univ.fr
# ...
acctserver radius.univ.fr
# ...
# Specify the server and the shared secret
radius.univ.fr MON_PASS
See the kanet.conf configuration and/or Jérôme's documentation for modifying
both kanet.conf and eduspot.conf (apache) so that only CAS authentication
is performed.
wget -O /etc/yum.repos.d/security_shibboleth.repo http://download.opensuse.org/repositories/security:/shibboleth/RHEL_6/security:shibboleth.repo
echo "protect=1" >> /etc/yum.repos.d/security_shibboleth.repo
wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-shibboleth-security http://download.opensuse.org/repositories/security:/shibboleth/RHEL_6/repodata/repomd.xml.key
yum install xmltooling log4shib xerces-c xml-security-c xmltooling opensaml shibboleth curl-openssl
shibboleth2.xml for the test federation
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    logger="syslog.logger" clockSkew="180">
    <OutOfProcess logger="shibd.logger">
    </OutOfProcess>
    <InProcess logger="native.logger">
        <ISAPI normalizeRequest="true" safeHeaderNames="true">
            <Site id="1" name="eduspot.univ.fr"/>
        </ISAPI>
    </InProcess>
    <UnixListener address="shibd.sock"/>
    <StorageService type="Memory" id="mem" cleanupInterval="900"/>
    <SessionCache type="StorageService" StorageService="mem" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
    <ReplayCache StorageService="mem"/>
    <ArtifactMap artifactTTL="180"/>
    <RequestMapper type="Native">
        <RequestMap applicationId="default">
            <Host name="eduspot.univ.fr">
                <Path name="secure" authType="shibboleth" requireSession="true"/>
            </Host>
        </RequestMap>
    </RequestMapper>
    <ApplicationDefaults id="default" policyId="default" entityID="https://eduspot.fr/login_shibboleth" REMOTE_USER="eppn targeted-id" signing="false" encryption="false">
        <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="/Shibboleth.sso" handlerSSL="false" exportLocation="/Shibboleth.sso/GetAssertion" idpHistory="false" idpHistoryDays="7">
            <SessionInitiator type="Chaining" Location="/WAYF" id="WAYF" relayState="cookie">
                <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
                <SessionInitiator type="Shib1" acsIndex="5"/>
                <SessionInitiator type="WAYF" acsIndex="5" URL="https://services-federation.renater.fr/test/wayf/"/>
            </SessionInitiator>
            <md:AssertionConsumerService Location="/SAML2/POST" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
            <md:AssertionConsumerService Location="/SAML2/Artifact" index="3" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
            <md:AssertionConsumerService Location="/SAML2/ECP" index="4" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
            <md:AssertionConsumerService Location="/SAML/POST" index="5" Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
            <md:AssertionConsumerService Location="/SAML/Artifact" index="6" Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
            <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
                <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
                <LogoutInitiator type="Local"/>
            </LogoutInitiator>
            <md:SingleLogoutService Location="/SLO/SOAP" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
            <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
            <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
            <md:ManageNameIDService Location="/NIM/SOAP" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
            <md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
            <md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
            <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
        </Sessions>
        <Errors supportContact="root@localhost" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>
        <MetadataProvider type="Chaining">
            <MetadataProvider type="XML" uri="https://services-federation.renater.fr/metadata/renater-test-metadata.xml" backingFilePath="/etc/shibboleth/renater-test-metadata.xml" reloadInterval="7200">
                <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
                <MetadataFilter type="Signature" certificate="/etc/shibboleth/metadata-federation-renater.crt"/>
            </MetadataProvider>
        </MetadataProvider>
        <TrustEngine type="Chaining">
            <TrustEngine type="ExplicitKey"/>
            <TrustEngine type="PKIX"/>
        </TrustEngine>
        <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <CredentialResolver type="File" key="/REP/LE_CERTIF.key" certificate="/REP/LE_CERTIF.crt"/>
    </ApplicationDefaults>
    <SecurityPolicies>
        <Policy id="default" validate="false">
            <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
            <PolicyRule type="Conditions">
                <PolicyRule type="Audience"/>
            </PolicyRule>
            <PolicyRule type="ClientCertAuth" errorFatal="true"/>
            <PolicyRule type="XMLSigning" errorFatal="true"/>
            <PolicyRule type="SimpleSigning" errorFatal="true"/>
        </Policy>
    </SecurityPolicies>
</SPConfig>
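As an added check that is not part of the Kanet documentation, the following Python script audits a shibboleth2.xml like the one above for the settings a reviewer looks at first: whether the /Shibboleth.sso handlers are restricted to HTTPS (handlerSSL), whether federation metadata is signature-verified and time-bounded, whether SAML replay checking is on, and whether the Status handler is ACL-restricted. The embedded sample is a constructed excerpt mirroring the page's settings, so it reports the handlerSSL="false" used here.

```python
# Added example: audit of security-relevant shibboleth2.xml settings (not Kanet code).
import xml.etree.ElementTree as ET

NS = {"c": "urn:mace:shibboleth:2.0:native:sp:config"}

# Constructed excerpt mirroring the page's SP config (not the complete file).
SAMPLE_SP_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults id="default" entityID="https://eduspot.fr/login_shibboleth"
      REMOTE_USER="eppn targeted-id" signing="false" encryption="false">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
        handlerURL="/Shibboleth.sso" handlerSSL="false">
      <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
    </Sessions>
    <MetadataProvider type="Chaining">
      <MetadataProvider type="XML" uri="https://example.invalid/metadata.xml">
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
        <MetadataFilter type="Signature" certificate="/etc/shibboleth/federation.crt"/>
      </MetadataProvider>
    </MetadataProvider>
  </ApplicationDefaults>
  <SecurityPolicies>
    <Policy id="default">
      <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
    </Policy>
  </SecurityPolicies>
</SPConfig>"""

def audit_sp_config(xml_text):
    """Return (severity, message) findings for a Shibboleth SP configuration."""
    root = ET.fromstring(xml_text)
    findings = []
    sessions = root.find("c:ApplicationDefaults/c:Sessions", NS)
    # Handler endpoints carry session cookies and SAML responses: keep them on HTTPS.
    if sessions is None or sessions.get("handlerSSL", "true").lower() != "true":
        findings.append(("high", "handlerSSL is not true: /Shibboleth.sso handlers accept plain HTTP"))
    # Federation metadata must be signature-verified and must expire.
    filters = {f.get("type") for f in root.iterfind(".//c:MetadataFilter", NS)}
    if "Signature" not in filters:
        findings.append(("high", "no Signature MetadataFilter: federation metadata is not verified"))
    if "RequireValidUntil" not in filters:
        findings.append(("medium", "no RequireValidUntil filter: stale metadata would be accepted"))
    # Inbound SAML messages should be replay-checked.
    flow = root.find(".//c:PolicyRule[@type='MessageFlow']", NS)
    if flow is None or flow.get("checkReplay", "true").lower() != "true":
        findings.append(("high", "MessageFlow rule missing or checkReplay disabled"))
    # The Status handler reveals SP internals; restrict it with an acl.
    for handler in root.iterfind(".//c:Handler[@type='Status']", NS):
        if not handler.get("acl"):
            findings.append(("medium", "Status handler has no acl restriction"))
    return findings
```

Run it against the real /etc/shibboleth/shibboleth2.xml by passing the file contents to audit_sp_config; an empty list means none of these checks fired.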
-
Retrieve the federation certificate
wget https://services-federation.renater.fr/metadata/metadata-federation-renater.crt -O /etc/shibboleth/metadata-federation-renater.crt
-
Retrieve the metadata
wget https://services-federation.renater.fr/metadata/renater-test-metadata.xml -O /etc/shibboleth/renater-test-metadata.xml
Technical information:
→ TO BE REVIEWED